Activating Azure Rights Management

Applies to: Azure Information Protection, Office 365


This configuration information is for administrators who are responsible for a service that applies to all users in an organization. If you are looking for user help and information to use the Rights Management functionality for a specific application or how to open a file or email that is rights-protected, use the help and guidance that accompanies your application.

For example, for Office applications, click the Help icon and enter search terms such as Rights Management or IRM. For the Azure Information Protection client for Windows, see the Azure Information Protection client user guide.

For technical support and other questions about the service, see the Support options and community resources information.

When the Azure Rights Management service for Azure Information Protection is activated for your tenant, your organization can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected files and emails that your organization owns. This service must be enabled before you can begin to use the information rights management (IRM) features within Office, SharePoint, and Exchange, and protect any sensitive or confidential file.

If you want to learn more about the Azure Rights Management service before you activate the it—for example, what business problems it solves, some typical use cases, and how it works—see What is Azure Rights Management?


Do not activate the Azure Rights Management service if you have Active Directory Rights Management Services (AD RMS) deployed for your organization. More information

Before you activate Rights Management, make sure that your organization has a service plan that includes Azure Rights Management data protection. If not, you will not be able to activate Azure Rights Management. You must have one of the following:

When the Azure Rights Management service is activated, all users in your organization can apply information protection to their files, and all users can open (consume) files that have been protected by the Azure Rights Management service. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

For instructions how to activate the Rights Management service from your management portal, select whether to use the Office 365 admin center or the Azure portal:

Alternatively, you can use PowerShell to activate Rights Management:

  1. Install the Azure Rights Management Administration Tool, which installs the Azure Rights Management administration module. For instructions, see Installing Windows PowerShell for Azure Rights Management.

  2. From a PowerShell session, run Connect-AadrmService, and when prompted, provide the global administrator account details for your Azure Information Protection tenant.

  3. Run Enable-Aadrm, which activates the Azure Rights Management service.

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to protect files immediately by using Azure Rights Management, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.


To use this command, you must have at least version of the Azure Rights Management PowerShell module.

To check the version you have installed, run: (Get-Module aadrm –ListAvailable).Version

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fbb99ded-32a0-45f1-b038-38b519009503"

Note that for this configuration option, you must specify a group; you cannot specify individual users. To obtain the object ID for the group, you can use Azure AD PowerShell—for example, for version 1.0 of the module, use the Get-MsolGroup command. Or, you can copy the Object ID value of the group from the Azure portal.

Alternatively, if you want to ensure that only users who are correctly licensed to use Azure Information Protection can protect content:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True

When you no longer need to use onboarding controls, whether you used the group or licensing option, run:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False

For more information about this cmdlet and additional examples, see the Set-AadrmOnboardingControlPolicy help.

When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. For example, they won’t see in their Office clients the default templates that are automatically published when the Azure Rights Management service is activated, or custom templates that you might configure. Server-side applications, such as Exchange, can implement their own per-user controls for Rights Management integration to achieve the same result.

Next steps

Now that you’ve activated Azure Rights Management for your organization, use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might need to do before you roll out Azure Information Protection to users and administrators.

For example, you might want to use templates to make it easier for users to apply information protection to files, connect your on-premises servers to use Azure Rights Management by installing the Rights Management connector, and deploy the Azure Information Protection client that supports protecting all file types on all devices.

Office services, such as Exchange Online and SharePoint Online require additional configuration before you can use their Information Rights Management (IRM) features. For information about how your applications work with the Rights Management service, see How applications support the Azure Rights Management service.


Before commenting, we ask that you review our House rules.